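def _search_for_immediates(self):
    """Record, for every tracked immediate, the functions that use it.

    Scans the whole database once per key of ``self.IMMEDIATES`` and adds
    the start address of each enclosing function to the set stored under
    that key.  The value is searched in the form returned by
    ``self._twos_compliment`` so that the encoded operand matches.
    Fixes the ``self..IMMEDIATES`` typo (a syntax error) in the loop header.
    """
    for immediate in self.IMMEDIATES:
        # The encoded form does not change while walking the database; hoist it.
        needle = self._twos_compliment(immediate)
        ea = 0
        while ea != idc.BADADDR:
            # NOTE(review): assumes FindImmediate resumes *past* `ea`; if this
            # IDA version can re-match at `ea` itself the loop never terminates
            # (SEARCH_NEXT would make the skip explicit) — confirm before relying on it.
            ea, _operand = idc.FindImmediate(ea, idc.SEARCH_DOWN, needle)
            if ea == idc.BADADDR:
                break
            func = idaapi.get_func(ea)
            if func:
                self.IMMEDIATES[immediate].add(func.startEA)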
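def find_wdf_callback_through_immediate(mnemonic, operand, val, max_hits=10):
    """Return the address of the first instruction matching `mnemonic`/`operand` that carries immediate `val`.

    Args:
        mnemonic (str): mnemonic the hit must have (compared with idc.GetMnem).
        operand (int): operand index the immediate must sit in.
        val (int): immediate value to search for.
        max_hits (int): how many occurrences of `val` to examine before giving up.

    Returns:
        The matching ea, or None if no examined occurrence qualifies or the
        search runs out of hits.
    """
    flags = idc.SEARCH_DOWN | idc.SEARCH_NEXT
    addr = idc.MinEA()
    for _ in range(max_hits):
        # Resume from the previous hit so each iteration examines the next
        # occurrence; restarting from MinEA() would re-examine the first one.
        addr, found_operand = idc.FindImmediate(addr, flags, val)
        if addr == idc.BADADDR:
            break
        if found_operand == operand and idc.GetMnem(addr) == mnemonic:
            return addr
    return None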
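def _search_for_immediates(self):
    """Populate ``self.funcs`` as ``{function start ea: set of immediates found in it}``.

    Every key of ``constants.constants`` is searched across the whole
    database in the form returned by ``self._twos_compliment``.  A hit
    inside a function is credited to that function; a hit that lies in no
    function is credited to every function that references the hit address
    (via ``idautils.XrefsTo``).  ``self.funcs`` is reset on each call.
    """
    self.funcs = {}
    for immediate in constants.constants:
        # Encoded form is loop-invariant; compute it once per immediate.
        needle = self._twos_compliment(immediate)
        ea = 0
        while ea != idc.BADADDR:
            # NOTE(review): assumes FindImmediate resumes *past* `ea`; if this
            # IDA version can re-match at `ea` itself the loop never terminates
            # (SEARCH_NEXT would make the skip explicit) — confirm before relying on it.
            ea, _operand = idc.FindImmediate(ea, idc.SEARCH_DOWN, needle)
            if ea == idc.BADADDR:
                break
            func = idaapi.get_func(ea)
            if func:
                self.funcs.setdefault(func.startEA, set()).add(immediate)
                continue
            # Not inside a function: attribute the hit to its referrers instead.
            for xref in idautils.XrefsTo(ea):
                referrer = idaapi.get_func(xref.frm)
                if referrer:
                    self.funcs.setdefault(referrer.startEA, set()).add(immediate)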
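def findImmediate(self, range_start, range_end, value):
    """Yield every ea in the range at which the immediate value was found.

    Args:
        range_start (int): ea of the range's start (inclusive)
        range_end (int): ea of the range's end (exclusive, matching the loop bound)
        value (int): value of the searched immediate

    Return Value:
        generator of ea's (ascending) in which the value was found

    Note:
        ``idc.FindImmediate`` takes no end address, so a hit returned by it
        may lie beyond ``range_end``; such hits are discarded rather than
        yielded, which the original loop did not do.
    """
    search_pos = range_start
    while search_pos < range_end:
        match_ea, _operand = idc.FindImmediate(search_pos, idc.SEARCH_DOWN, value)
        # No further occurrence anywhere below search_pos.
        if match_ea == idc.BADADDR:
            break
        # The search is unbounded on the high side; drop hits past the range.
        if match_ea >= range_end:
            break
        yield match_ea
        # Resume one byte past the hit so the same address is not matched again.
        search_pos = match_ea + 1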
# Python 2 IDAPython walkthrough of the idc.Find* search helpers.  `ea` is
# expected to be set by the preceding part of the script.

def _show(at):
    # Print an address together with its disassembly, the way every step below does.
    print hex(at), idc.GetDisasm(at)

_show(ea)
addr = idc.FindData(ea, SEARCH_UP | SEARCH_NEXT)
_show(addr)

# idc.FindUnexplored(ea, flag): finds the address of bytes IDA has not
# identified as either code or data.  Such unknown bytes need further analysis
# by inspection or by script.
ea = here()
_show(ea)
addr = idc.FindUnexplored(ea, SEARCH_DOWN)
_show(addr)

# idc.FindExplored(ea, flag): finds an address IDA has marked as code or data.
ea = here()
addr = idc.FindExplored(ea, SEARCH_UP)
_show(addr)
for xref in idautils.XrefsTo(addr, 1):
    _show(xref.frm)

# idc.FindImmediate(ea, flag, value): searches for a specific immediate value,
# for example the seed constant used by rand().
addr = idc.FindImmediate(MinEA(), SEARCH_DOWN, 0x343FD)
print "0x%x %s %x" % (addr[0], idc.GetDisasm(addr[0]), addr[1])

# Find every occurrence of the given immediate: SEARCH_NEXT resumes past the
# previous hit, and BADADDR signals that no further occurrence exists.
addr = MinEA()
while True:
    addr, operand = idc.FindImmediate(addr, SEARCH_DOWN | SEARCH_NEXT, 0x5c)
    if addr == idc.BADADDR:
        break
    print hex(addr), idc.GetDisasm(addr), "Operand", operand